PLINK-705: PicketLink - Cache-Control and Pragma on all requests


Details

    • Patch
    • Resolution: Unresolved
    • Major
    • None
    • PLINK_2.7.0.Final
    • BASE

    Description

      Using PicketLink SAML POST authentication, when I was working on cache configuration on Apache I had some issues because PicketLink is setting the headers:

      Cache-control: no-cache
      Pragma: no-cache

      on all requests. I believe that was a misunderstanding of the SAML 2 spec:
      http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-binding-simplesign-cd-04.html

      "HTTP proxies and the user agent intermediary should not cache SAML protocol messages. To ensure this, the following rules SHOULD be followed.
      When returning SAML protocol messages using HTTP 1.1, HTTP responders SHOULD:
      Include a Cache-Control header field set to "no-cache, no-store".

      Include a Pragma header field set to "no-cache".

      There are no other restrictions on the use of HTTP headers."

      It's OK for SAML responses, but these headers are set on all requests, including those for static resources like JS, CSS, etc.

      Looking at the PicketLink federation source code I found two classes which could be doing this (it should help):
      https://github.com/picketlink/picketlink/blob/master/modules/federation/src/main/java/org/picketlink/identity/federation/web/util/HTTPRedirectUtil.java
      https://github.com/picketlink/picketlink/blob/master/modules/federation/src/main/java/org/picketlink/identity/federation/web/util/PostBindingUtil.java

      This issue can be easily reproduced through the PicketLink quickstarts below:
      https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-federation-saml-sp-post-basic
      https://github.com/jboss-developer/jboss-picketlink-quickstarts/tree/master/picketlink-federation-saml-idp-basic

      Disable PicketLink on the SP and those headers will disappear.
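As an added check (not part of this issue or of PicketLink's code), the script below applies the spec rule quoted above to sample HTTP responses and reports both kinds of deviation: a SAML message missing a required directive, and a static resource forced uncacheable. The sample responses, the paths and the set of "static" content types are constructed assumptions.

```python
"""Checks responses against the SAML 2.0 binding cache rule quoted in PLINK-705:
SAML messages need Cache-Control "no-cache, no-store" and Pragma "no-cache", while
static resources should stay cacheable. Samples are constructed, not captured."""
from dataclasses import dataclass

REQUIRED = {"no-cache", "no-store"}                    # directives from the quoted spec text
STATIC_TYPES = {"application/javascript", "text/css"}  # assumption: what counts as static


@dataclass
class Response:
    path: str
    status: int
    content_type: str
    headers: dict
    body: str = ""

    def header(self, name):  # header names are case-insensitive
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def is_saml_message(resp):
    """Redirect binding: SAMLRequest/SAMLResponse in Location; POST binding: a form with them."""
    if resp.status in (302, 303):
        return any(p + "=" in resp.header("Location") for p in ("SAMLRequest", "SAMLResponse"))
    return any(f'name="{p}"' in resp.body for p in ("SAMLRequest", "SAMLResponse"))


def check(resp):
    """Return findings for one response; an empty list means compliant."""
    directives = {d.strip().lower() for d in resp.header("Cache-Control").split(",") if d.strip()}
    pragma, findings = resp.header("Pragma").strip().lower(), []
    if is_saml_message(resp):
        if REQUIRED - directives:
            findings.append(f"{resp.path}: SAML message lacks Cache-Control {sorted(REQUIRED - directives)}")
        if pragma != "no-cache":
            findings.append(f"{resp.path}: SAML message lacks Pragma: no-cache")
    elif resp.content_type in STATIC_TYPES and (directives & REQUIRED or pragma == "no-cache"):
        findings.append(f"{resp.path}: static resource forced uncacheable")
    return findings


# Constructed samples: the SP's POST-binding form (only "no-cache", as the issue
# reports), a script carrying the same headers (the bug), and a cacheable stylesheet.
SAMPLES = [
    Response("/sp/", 200, "text/html", {"Cache-control": "no-cache", "Pragma": "no-cache"},
             '<form method="post"><input type="hidden" name="SAMLResponse" value="..."></form>'),
    Response("/sp/js/app.js", 200, "application/javascript", {"Cache-control": "no-cache", "Pragma": "no-cache"}),
    Response("/sp/css/site.css", 200, "text/css", {"Cache-Control": "max-age=3600"}),
]


def run(samples=SAMPLES):
    return [f for r in samples for f in check(r)]
```

Running `run()` against captured responses from the SP quickstart (replacing the constructed samples) shows which resources the filter touches.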

          People

            sbryzak@redhat.com Shane Bryzak
            hodrigohamalho Rodrigo Ramalho